author | Alexander Bokovoy <abokovoy@redhat.com> | 2014-02-28 22:03:29 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-03-05 10:40:39 +0100 |
commit | 6b45ec3f31773ee7a229d5bb56675badc2d8fd55 (patch) | |
tree | 2727ed4eddef145e1f75c2f8f14ff8ea30b4a492 /daemons | |
parent | 0ca6653c299c75f5215cc37c6b129ce58a85e8df (diff) | |
fix filtering of subdomain-based trust users
https://fedorahosted.org/freeipa/ticket/4207
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Diffstat (limited to 'daemons')
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_mspac.c | 41 |
1 files changed, 32 insertions, 9 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 9137cd5ad..68f27f0e2 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -806,6 +806,12 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
krb5_error_code kerr;
enum ndr_err_code ndr_err;
+ /* When no client entry is there, we cannot generate MS-PAC */
+ if (!client) {
+ *pac = NULL;
+ return 0;
+ }
+
ipactx = ipadb_get_context(kcontext);
if (!ipactx) {
return KRB5_KDB_DBNOTINITED;
@@ -1534,6 +1540,12 @@ static krb5_error_code ipadb_add_transited_service(krb5_context context,
uint32_t i;
char *tmpstr;
+ /* When proxy is NULL, authdata flag on the service principal was cleared
+ * by an admin. We don't generate MS-PAC in this case */
+ if (proxy == NULL) {
+ return 0;
+ }
+
tmpctx = talloc_new(NULL);
if (!tmpctx) {
kerr = ENOMEM;
@@ -1731,6 +1743,12 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
}
if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
+ if (proxy == NULL) {
+ *pac = NULL;
+ kerr = 0;
+ goto done;
+ }
+
kerr = ipadb_add_transited_service(context, proxy, server, old_pac, new_pac);
if (kerr) {
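Review bot: The comment above the new `if (proxy == NULL)` guard in ipadb_add_transited_service is the one this commit deletes from ipadb_sign_authdata and does not describe this function: here proxy is the entry handed in by ipadb_verify_pac, and that caller (changed in the same commit) already returns before calling with a NULL proxy, so the guard is a defensive no-op rather than the "admin cleared authdata" case the text claims. Returning 0 before touching new_pac also leaves the reader to infer that the caller tolerates an untouched output. Suggest replacing the comment with `/* Defensive: ipadb_verify_pac already skips us when proxy is NULL; without the proxy entry there is nothing to add to the PAC. */`. ipadb_add_transited_service's body continues outside the hunk.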
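Review bot: The new early exit under KRB5_KDB_FLAG_CONSTRAINED_DELEGATION returns success with `*pac = NULL`, so an S4U2Proxy ticket is issued with no PAC and no trace of why, while the `if (kerr)` just below still fails the request on a transited-service error; the asymmetry deserves a comment, since this branch has none and its sibling guard in ipadb_add_transited_service is unreachable from here. Presumably this is the intended behaviour when an admin disabled authdata on the proxying service, in which case state it: `/* No proxy entry (authdata disabled on the service): issue the ticket without a PAC rather than failing the request */` above the `if (proxy == NULL)`, and drop one of the two guards. ipadb_verify_pac starts and ends outside the hunk, so whether old_pac/new_pac need releasing at done on this path cannot be confirmed here.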
@@ -1986,20 +2004,27 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
krb5_db_entry *client_entry = NULL;
- /* When client is NULL, authdata flag on the service principal was cleared
- * by an admin. We don't generate MS-PAC in this case */
- if (client == NULL) {
- *signed_auth_data = NULL;
- return 0;
- }
+ is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
/* When using s4u2proxy client_princ actually refers to the proxied user
* while client->princ to the proxy service asking for the TGS on behalf
* of the proxied user. So always use client_princ in preference */
if (client_princ != NULL) {
ks_client_princ = client_princ;
- kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
+ if (!is_as_req) {
+ kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
+ /* If we didn't find client_princ in our database, it might be:
+ * - a principal from another realm, handle it down in ipadb_get/verify_pac()
+ */
+ if (!kerr) {
+ client_entry = NULL;
+ }
+ }
} else {
+ if (client == NULL) {
+ *signed_auth_data = NULL;
+ return 0;
+ }
ks_client_princ = client->princ;
}
@@ -2014,8 +2039,6 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
"currently not supported.");
}
- is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
-
if (is_as_req && with_pac && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
/* Be aggressive here: special case for discovering range type
* immediately after establishing the trust by IPA framework */
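Review bot: The test `if (!kerr) { client_entry = NULL; }` in the new `!is_as_req` branch is inverted relative to its own comment: when ipadb_get_principal succeeds (kerr == 0) the entry just looked up is thrown away, and when it fails client_entry is left as the callee set it while kerr still carries the lookup error. The comment says the not-found case is what should be treated as a foreign principal, so the branch should read `if (kerr) { client_entry = NULL; kerr = 0; }`, clearing kerr so a later return path cannot report the stale lookup failure (whether such a path exists is below the hunk). As written, every local client on the TGS/S4U2Proxy path silently gets no PAC via the new `!client` exit in ipadb_get_pac, which is the opposite of the ticket's intent, and the discarded entry is presumably leaked since nothing releases it. ipadb_sign_authdata's body continues past both hunks.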